CryptoWire Ransomware

Among the many programs that try to rip you off by encrypting your files, there are also applications such as CryptoWire Ransomware. Our researchers say that this program is an “educational” ransomware infection that is meant to “teach” users about the aspects of such an undesirable intrusion. However, that does not make this program any less dangerous. Anyone who has been infected with the program needs to remove CryptoWire Ransomware as soon as possible, because you will definitely not be able to operate your computer properly if you allow this application to remain on your system. Your system’s security should come first!

One of the points of this “educational” program is that it can be downloaded from github.com/brucecio9999/CryptoWire-Advanced-AutoIt-ransomware-Project. The program is written in the AutoIt scripting language, and anyone can use it once they download it. We believe that you would not download such an application willingly, so if it is on your system, you must have been infected by someone who gained access to your computer. With this program, several distribution methods might be applied by those who utilize it, so you should be careful when you go through your daily Internet routine.

Upon infection, CryptoWire Ransomware drops a copy of itself in the %PROGRAMFILES(x86)% directory. Usually, ransomware programs scramble their filenames so that users cannot recognize them, but that is not the case here. The installer’s filename is already random, so the infection probably sees no point in changing it. After that, the program runs a full system scan and deletes the Shadow copies of your files. Although an average user would not be able to utilize Shadow copies, with the help of a professional it would be possible to restore damaged and encrypted files from them. So the ransomware infection makes sure you cannot get your files back this way.

When the Shadow copies have been deleted, CryptoWire Ransomware starts encrypting your files. During our tests, we found that the program encrypts files in the %USERPROFILE% directory. This directory has many subfolders, and sometimes even cloud drive folders are mapped there, so the ransomware could encrypt even the copies of your files you keep in cloud storage. On the other hand, if you have a folder that is not mapped under the %USERPROFILE% directory, those files may not be affected by the infection.

The ransomware encrypts your files using the AES-256 encryption algorithm, which is commonly used by most ransomware infections. You can also easily tell which files have been affected, because the encrypted files get a new extension inserted into their names. For instance, if there was a file thanksgiving.jpg on your computer, after the encryption the filename will look like this: thanksgiving.encrypted.jpg. Needless to say, the system will not be able to open these encrypted files, because the bytes that carry the file information have been scrambled in a way that the system cannot read.
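The naming pattern described above (and the restore-from-backup step discussed later) lends itself to a small triage script. The following is an added example written for this article, not code from the article or from the GitHub project: it walks a directory tree (on a real host you would point it at %USERPROFILE%), recognizes files carrying the CryptoWire marker, and maps each one to the original filename so the clean copy from an external backup can be restored to the right place. The handling of files that had no extension is an assumption, and the sample tree is constructed for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# CryptoWire inserts ".encrypted" before the final extension
# (thanksgiving.jpg -> thanksgiving.encrypted.jpg, as the article describes).
MARKER = ".encrypted"

def original_name(filename):
    """Return the pre-encryption name if `filename` matches the CryptoWire
    pattern, otherwise None. A legitimate name such as my.encrypted.photo.jpg
    is left alone because the marker is not directly before the extension."""
    stem, ext = Path(filename).stem, Path(filename).suffix
    if stem.endswith(MARKER) and len(stem) > len(MARKER):
        return stem[:-len(MARKER)] + ext
    if ext == MARKER and stem:          # assumed form for files with no extension
        return stem
    return None

def find_encrypted_files(root):
    """Walk `root` (point it at %USERPROFILE% on a real host) and map each
    encrypted path to the path the clean backup copy should be restored to."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            orig = original_name(name)
            if orig is not None:
                hits[os.path.join(dirpath, name)] = os.path.join(dirpath, orig)
    return hits

def summarize(hits):
    """Affected-file counts per original extension, for the triage notes."""
    return Counter(Path(p).suffix.lower() or "<none>" for p in hits.values())

def demo():
    """Constructed sample tree (not real victim data) exercising the scanner."""
    sample = ["Pictures/thanksgiving.encrypted.jpg", "Documents/archive.tar.encrypted.gz",
              "Documents/notes.encrypted", "Documents/my.encrypted.photo.jpg",
              "Desktop/todo.txt"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        hits = find_encrypted_files(root)
        rel_hits = {os.path.relpath(k, root).replace(os.sep, "/"):
                    os.path.relpath(v, root).replace(os.sep, "/") for k, v in hits.items()}
        return rel_hits, summarize(hits)

if __name__ == "__main__":
    found, counts = demo()
    for enc, orig in sorted(found.items()):
        print(f"{enc} -> restore {orig}")
    print(dict(counts))
```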

What comes next? When the encryption is complete, CryptoWire Ransomware displays a pop-up notification that says “Your files has been safely encrypted.” Aside from the grammar error in that statement, the infection could not be more obvious. It also says that “the only way you can recover your files is to buy a decryption key.” The infection expects you to pay in bitcoins, around $200 USD, to get your files back.

As you can probably imagine, paying these criminals does not automatically mean that your files will be decrypted. They might just take your money and scram, without even bothering to issue a decryption key. Also, we have not found a public decryption tool for this infection yet.

Nevertheless, you can delete the encrypted files and transfer healthy copies of your data from an external backup drive to your system once you have removed CryptoWire Ransomware from your computer. If the infection is still present, it is very likely to try encrypting the healthy copies of your files again, so you should not take your chances.

If you think that manual removal is too much of a task for you, you can get rid of the infection automatically. For that, you will have to acquire a reliable antispyware tool. This is actually a good idea, because a security tool of your choice would also protect your PC from similar infections in the future.